Description of Problem / Feature Request
Hello! I'm collaborating on academic research about Docker security and we would like to add Clair to our analysis, but we're having so much trouble making this work... I mean, we tried to use the upstream and 4.7.4 Clair versions, followed the Clair documentation and the Red Hat documentation, downgraded Docker to the 19.3.13 version, used clairctl and Skopeo, and so many other things, but without any success 🥲
So, going straight to the point, is Clair actually working? If yes, where can we find a proper guide to make this work? I know this sounds like we have some skill issue, but I swear that we tried everything possible (the summarized list of tries is below).
Thanks in advance!
Expected Outcome
Just work
Actual Outcome
Doesn't work
And here's the list of our tries (with a quick diagnostic due to the amount of items, so logs will be provided as you need):
- Starting a cluster via Compose: clairctl returns a 503 error
- Starting a cluster via make (all the 3 described targets) and clairctl: the same as the first item
- Starting a cluster via make (local-dev-quay target) and Skopeo: Quay container dies when copying system image
- Running a Clair container with its image built with Dockerfile: container fails to initiate due to wrong/missing configurations in the `config.yaml` (even trying to fix the typos and removing what causes crashes, it still doesn't initiate)
- Manually setting up Quay following Red Hat Documentation: Quay Registry container dies because it cannot reach server hostname (e.g. `quay-server.example.com`). In this case, the use of `--network=host` makes it reach this hostname, so it stops dying, however the container and its ports turn fully unreachable
- Running Clair-Scanner with its cluster (isn't officially associated with Clair, but we also tried it): the client just returns a 400 error telling that Clair-DB (container) wasn't able to find Docker image layer(s)
Keep in mind that ALL the items above were tested with both upstream and 4.7.4 Clair versions, and both Docker 27.0.3 and 19.3.13 (in some "compatible" cases).
Environment
- Clair version/image: Upstream and 4.7.4
- Clair client name/version: Upstream and 4.7.4
- Host OS: Debian 12 (stable)
- Kernel (e.g. `uname -a`): Linux debian 6.1.0-23-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.99-1 (2024-07-15) x86_64 GNU/Linux
- Kubernetes version (use `kubectl version`): N/A
- Network/Firewall setup: Just a regular LAN; N/A